On Fri, May 23, 2014 at 04:03:44PM +0200, Jakub Hrozek wrote:
> On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote:
> > More soft/anecdotal:
> > 
> > When executing "sudo -i" or "sudo -iu" the first time, we can expect
> > a several second delay before the command completes. If we then exit
> > the session and re-execute the command, it will complete almost
> > instantly. So whatever cache is holding this information, if we
> > could increase its duration, that would certainly make our pain
> > less. Is this a settable value?
> > 
> > Entering a password into a screensaver is particularly painful. 10+
> > seconds before the screensaver will exit.
> > 
> > We are looking at environmental possibilities, like interfaces and
> > such. This machine is running on a VMware VM, but we've had success
> > deploying IPA on VMs in the past, and our faster network is running
> > VMs as well (with one physical box).
> 
> Can you try increasing this option:
> 
>        pam_id_timeout (integer)
>            For any PAM request while SSSD is online, the SSSD will attempt to
>            immediately update the cached identity information for the user in
>            order to ensure that authentication takes place with the latest
>            information.
> 
>            A complete PAM conversation may perform multiple PAM requests, such
>            as account management and session opening. This option controls (on
>            a per-client-application basis) how long (in seconds) we can cache
>            the identity information to avoid excessive round-trips to the
>            identity provider.
> 
>            Default: 5

I should also have explicitly said that the option belongs to the [pam]
section.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to